Table: aws_inspector2_finding - Query AWS Inspector findings using SQL
AWS Inspector is a security assessment service that helps improve the security and compliance of applications deployed on AWS. It automatically assesses applications for vulnerabilities or deviations from best practices, including impacted networks and insecure configurations. Inspector findings provide detailed information about security vulnerabilities and recommendations for remediation.
Table Usage Guide
The aws_inspector2_finding table in Steampipe provides you with information about findings identified by AWS Inspector. This table allows you, as a security analyst, to query finding-specific details, including their severity, status, and the resources they are associated with. You can utilize this table to gather insights on potential security issues and vulnerabilities within your AWS resources. The schema outlines the various attributes of the findings, including the finding ARN, creation date, severity, status, and associated resources.
When you run an assessment with AWS Inspector, it analyzes your target resources such as EC2 instances, ECS clusters, or RDS databases and generates findings that highlight security vulnerabilities, potential misconfigurations, and other security-related issues. These findings provide you with detailed information about the identified vulnerabilities, including severity levels, affected resources, and recommended remediation steps.
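The examples further down each filter on a single column. For day-to-day triage you normally combine them: only active findings, only the severities you act on, exploitable before non-exploitable, fixable before unfixable, then by Inspector score. The query below is an added example written for this page (Postgres syntax, as Steampipe runs), not one of the Steampipe hub's own examples; it uses only columns from the schema section, and the ordering weights are an assumption to tune to your own risk model.

```sql
-- Added example (not from the Steampipe docs): rank active findings for triage.
-- Columns come from the aws_inspector2_finding schema; the CASE weights are an
-- assumed risk ordering (exploitable first, then fixable, then by score).
select
  arn,
  title,
  severity,
  inspector_score,
  exploit_available,
  fix_available,
  finding_account_id,
  region,
  last_observed_at
from
  aws_inspector2_finding
where
  status = 'ACTIVE'
  and severity in ('CRITICAL', 'HIGH')
order by
  -- findings with a known exploit sort first
  case when exploit_available = 'YES' then 0 else 1 end,
  -- then findings you can actually close with a version update
  case fix_available when 'YES' then 0 when 'PARTIAL' then 1 else 2 end,
  inspector_score desc nulls last,
  last_observed_at desc
limit 50;
```

Because `status`, `severity`, `exploit_available` and `fix_available` are key columns (see the Operators column in the schema), the `where` predicates are pushed down to the Inspector ListFindings filter rather than applied after fetching every finding, which matters in accounts with tens of thousands of findings.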
Examples
Basic info
Explore which security vulnerabilities exist in your AWS infrastructure and determine their severity and whether fixes are available. This can help prioritize remediation efforts and improve overall security posture.
Postgres and SQLite:
```sql
select
  arn,
  description,
  fix_available,
  inspector_score,
  severity,
  finding_account_id
from
  aws_inspector2_finding;
```
List findings with high severity
List the findings rated HIGH severity in your AWS Inspector data. This is useful for prioritizing issues that require immediate attention due to their potential impact on your AWS resources.
Postgres and SQLite:
```sql
select
  arn,
  source,
  vendor_severity,
  status,
  severity
from
  aws_inspector2_finding
where
  severity = 'HIGH';
```
Count the number of findings by severity
Analyze the severity of findings from AWS Inspector to understand the distribution and frequency of issues. This can help prioritize remediation efforts based on the severity of identified problems.
Postgres and SQLite:
```sql
select
  severity,
  count(severity)
from
  aws_inspector2_finding
group by
  severity
order by
  severity;
```
List findings in last 10 days
List the findings AWS Inspector has observed within the past 10 days. This helps maintain system security by letting you promptly address recent findings.
Postgres:
```sql
select
  title,
  arn,
  severity
from
  aws_inspector2_finding
where
  last_observed_at >= now() - interval '10' day;
```
SQLite:
```sql
select
  title,
  arn,
  severity
from
  aws_inspector2_finding
where
  last_observed_at >= datetime('now', '-10 days');
```
List suppressed findings
List the findings whose status is 'SUPPRESSED'. This is useful for reviewing potential security vulnerabilities that are currently not being addressed.
Postgres and SQLite:
```sql
select
  arn,
  status,
  type,
  resources,
  vulnerable_packages
from
  aws_inspector2_finding
where
  status = 'SUPPRESSED';
```
List package vulnerability findings
Identify instances where software packages have vulnerabilities in your AWS environment. This helps in proactively addressing potential security risks in your system.
Postgres and SQLite:
```sql
select
  arn,
  status,
  type,
  resources,
  vulnerable_packages
from
  aws_inspector2_finding
where
  type = 'PACKAGE_VULNERABILITY';
```
Get resource details of findings
Explore the specific details of identified resources within findings. This enables a deeper understanding of each finding's context and aids in subsequent decision-making processes.
Postgres:
```sql
select
  f.arn as finding_arn,
  r ->> 'Id' as resource_id,
  r ->> 'Type' as resource_type,
  r ->> 'Details' as resource_details,
  r ->> 'Partition' as partition,
  r ->> 'Tags' as resource_tags
from
  aws_inspector2_finding as f,
  jsonb_array_elements(resources) as r;
```
SQLite:
```sql
select
  f.arn as finding_arn,
  json_extract(r.value, '$.Id') as resource_id,
  json_extract(r.value, '$.Type') as resource_type,
  json_extract(r.value, '$.Details') as resource_details,
  json_extract(r.value, '$.Partition') as partition,
  json_extract(r.value, '$.Tags') as resource_tags
from
  aws_inspector2_finding as f,
  json_each(f.resources) as r;
```
Get vulnerable package details of findings
Expand the vulnerable packages attached to each finding to see the package name, installed version, the version that fixes it, and where it was found. This query is useful for identifying areas of risk and planning remediation.
Postgres:
```sql
select
  f.arn,
  f.vulnerability_id,
  v ->> 'Name' as vulnerability_package_name,
  v ->> 'Version' as vulnerability_package_version,
  v ->> 'Arch' as vulnerability_package_arch,
  v ->> 'Epoch' as vulnerability_package_epoch,
  v ->> 'FilePath' as vulnerability_package_file_path,
  v ->> 'FixedInVersion' as vulnerability_package_fixed_in_version,
  v ->> 'PackageManager' as vulnerability_package_package_manager,
  v ->> 'Release' as vulnerability_package_release,
  v ->> 'Remediation' as vulnerability_package_remediation,
  v ->> 'SourceLambdaLayerArn' as source_lambda_layer_arn,
  v ->> 'SourceLayerHash' as source_layer_hash
from
  aws_inspector2_finding as f,
  jsonb_array_elements(vulnerable_packages) as v;
```
SQLite:
```sql
select
  f.arn,
  f.vulnerability_id,
  json_extract(v.value, '$.Name') as vulnerability_package_name,
  json_extract(v.value, '$.Version') as vulnerability_package_version,
  json_extract(v.value, '$.Arch') as vulnerability_package_arch,
  json_extract(v.value, '$.Epoch') as vulnerability_package_epoch,
  json_extract(v.value, '$.FilePath') as vulnerability_package_file_path,
  json_extract(v.value, '$.FixedInVersion') as vulnerability_package_fixed_in_version,
  json_extract(v.value, '$.PackageManager') as vulnerability_package_package_manager,
  json_extract(v.value, '$.Release') as vulnerability_package_release,
  json_extract(v.value, '$.Remediation') as vulnerability_package_remediation,
  json_extract(v.value, '$.SourceLambdaLayerArn') as source_lambda_layer_arn,
  json_extract(v.value, '$.SourceLayerHash') as source_layer_hash
from
  aws_inspector2_finding as f,
  json_each(f.vulnerable_packages) as v;
```
List exploit available findings
Identify instances where potential vulnerabilities in your AWS infrastructure have known exploits available. This allows you to prioritize urgent threats and address them promptly.
Postgres and SQLite:
```sql
select
  arn,
  finding_account_id,
  first_observed_at,
  fix_available,
  exploit_available
from
  aws_inspector2_finding
where
  exploit_available = 'YES';
```
List findings that have fixes available through a version update
Identify potential security issues within your system that can be resolved through a version update. This is beneficial for maintaining system integrity and staying ahead of potential vulnerabilities.
Postgres and SQLite:
```sql
select
  arn,
  finding_account_id,
  first_observed_at,
  fix_available,
  exploit_available
from
  aws_inspector2_finding
where
  fix_available = 'YES';
```
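Knowing that a fix exists is one finding at a time; a remediation plan is per package. The query below is an added example for this page (Postgres syntax), not one of the Steampipe hub's examples: it expands `vulnerable_packages` and `resources` for active package-vulnerability findings that have a full or partial fix, and groups by package and fixed-in version so you can see which single upgrade closes the most findings across the most resources. The JSON field names (`Name`, `Version`, `FixedInVersion`, `PackageManager`, `Id`) are the ones used in this page's own queries.

```sql
-- Added example (not from the Steampipe docs), Postgres syntax: turn per-finding
-- package data into a per-upgrade remediation plan. Assumes the JSON field names
-- used elsewhere on this page ('Name', 'FixedInVersion', 'Id', ...).
select
  v ->> 'Name' as package_name,
  v ->> 'Version' as installed_version,
  v ->> 'FixedInVersion' as fixed_in_version,
  v ->> 'PackageManager' as package_manager,
  -- distinct counts, because the two jsonb_array_elements cross-joins
  -- multiply rows per finding
  count(distinct f.arn) as finding_count,
  count(distinct r ->> 'Id') as resource_count,
  max(f.inspector_score) as max_inspector_score,
  bool_or(f.exploit_available = 'YES') as any_exploit_available
from
  aws_inspector2_finding as f,
  jsonb_array_elements(f.vulnerable_packages) as v,
  jsonb_array_elements(f.resources) as r
where
  f.status = 'ACTIVE'
  and f.type = 'PACKAGE_VULNERABILITY'
  and f.fix_available in ('YES', 'PARTIAL')
  and v ->> 'FixedInVersion' is not null
group by
  1, 2, 3, 4
order by
  any_exploit_available desc,
  max_inspector_score desc nulls last,
  resource_count desc;
```

A row near the top of this result is the upgrade to schedule first: it is the package version change that removes the most exploitable, highest-scored findings from the most resources. Packages with `fix_available = 'PARTIAL'` appear only for the entries whose `FixedInVersion` is populated, since the other entries have nothing to upgrade to yet.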
List top 5 findings by inspector score
Identify instances where there are critical security findings by ranking them based on the severity of the inspector score. This is useful for prioritizing remediation efforts in your AWS environment.
Postgres and SQLite:
```sql
select
  arn,
  inspector_score,
  first_observed_at,
  last_observed_at,
  inspector_score_details
from
  aws_inspector2_finding
order by
  inspector_score desc
limit 5;
```
Get inspector score details of findings
Gain insights into the severity and source of potential security vulnerabilities by analyzing the adjusted CVSS scores of inspection findings. This allows for prioritizing the resolution of the most critical issues and identifying the sources of these vulnerabilities.
Postgres:
```sql
select
  arn,
  inspector_score_details -> 'AdjustedCvss' ->> 'Score' as adjusted_cvss_score,
  inspector_score_details -> 'AdjustedCvss' ->> 'ScoreSource' as adjusted_cvss_score_source,
  inspector_score_details -> 'AdjustedCvss' ->> 'ScoringVector' as adjusted_cvss_scoring_vector,
  inspector_score_details -> 'AdjustedCvss' ->> 'Version' as adjusted_cvss_version,
  inspector_score_details -> 'AdjustedCvss' -> 'Adjustments' as adjusted_cvss_adjustments,
  inspector_score_details -> 'AdjustedCvss' ->> 'CvssSource' as adjusted_cvss_cvss_source
from
  aws_inspector2_finding;
```
SQLite:
```sql
select
  arn,
  json_extract(inspector_score_details, '$.AdjustedCvss.Score') as adjusted_cvss_score,
  json_extract(inspector_score_details, '$.AdjustedCvss.ScoreSource') as adjusted_cvss_score_source,
  json_extract(inspector_score_details, '$.AdjustedCvss.ScoringVector') as adjusted_cvss_scoring_vector,
  json_extract(inspector_score_details, '$.AdjustedCvss.Version') as adjusted_cvss_version,
  json_extract(inspector_score_details, '$.AdjustedCvss.Adjustments') as adjusted_cvss_adjustments,
  json_extract(inspector_score_details, '$.AdjustedCvss.CvssSource') as adjusted_cvss_cvss_source
from
  aws_inspector2_finding;
```
Get network reachability details of findings
List the network path and open port range that make each network reachability finding's resource reachable. This helps identify exposed ports and areas for improvement in network security.
Postgres:
```sql
select
  arn,
  network_reachability_details -> 'NetworkPath' -> 'Steps' as network_path_steps,
  network_reachability_details -> 'OpenPortRange' ->> 'Begin' as open_port_range_begin,
  network_reachability_details -> 'OpenPortRange' ->> 'End' as open_port_range_end,
  network_reachability_details -> 'Protocol' as protocol
from
  aws_inspector2_finding;
```
SQLite:
```sql
select
  arn,
  json_extract(network_reachability_details, '$.NetworkPath.Steps') as network_path_steps,
  json_extract(network_reachability_details, '$.OpenPortRange.Begin') as open_port_range_begin,
  json_extract(network_reachability_details, '$.OpenPortRange.End') as open_port_range_end,
  json_extract(network_reachability_details, '$.Protocol') as protocol
from
  aws_inspector2_finding;
```
List findings by resource tags
Determine the areas in which security findings are linked to specific resource tags. This is particularly useful for identifying potential vulnerabilities within your 'Dev' and 'Prod' environments.
Postgres and SQLite:
```sql
select
  arn,
  finding_account_id,
  first_observed_at,
  fix_available,
  exploit_available,
  resource_tags
from
  aws_inspector2_finding
where
  resource_tags = '[{"key": "Name", "value": "Dev"}, {"key": "Name", "value": "Prod"}]';
```
List findings by vulnerable packages
List the findings that involve a specific vulnerable package, together with whether an exploit and a fix are available. This query is useful for assessing the security status of a package you care about and deciding where immediate action is required.
Postgres and SQLite:
```sql
select
  arn,
  finding_account_id,
  first_observed_at,
  fix_available,
  exploit_available,
  vulnerable_package
from
  aws_inspector2_finding
where
  vulnerable_package = '[{"architecture": "arc", "epoch": "231321", "name": "myVulere", "release": "v0.2.0", "sourceLambdaLayerArn": "arn:aws:lambda:us-west-2:123456789012:layer:my-layer:1", "sourceLayerHash": "dbasjkhda872", "version": "v0.1.0"}]';
```
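The `resource_tags` and `vulnerable_package` filters above are key columns that support only `=`, so the literal is sent to the Inspector API as an exact filter. When you instead want to slice findings by a tag without knowing the exact filter document, you can expand each finding's `resources` array and read the tag map client-side. The query below is an added example for this page (Postgres syntax), not one of the Steampipe hub's examples; the `Tags` and `Id` field names are the ones this page's own resource query uses, while the tag key `Environment` and value `Prod` are assumptions to replace with your own tagging scheme.

```sql
-- Added example (not from the Steampipe docs), Postgres syntax: count active
-- findings per resource for resources carrying an assumed tag Environment=Prod.
-- 'Tags' and 'Id' follow the resource JSON shape used elsewhere on this page.
select
  r ->> 'Id' as resource_id,
  r ->> 'Type' as resource_type,
  r -> 'Tags' ->> 'Environment' as environment,
  count(*) filter (where f.severity = 'CRITICAL') as critical_findings,
  count(*) filter (where f.severity = 'HIGH') as high_findings,
  count(*) filter (where f.exploit_available = 'YES') as exploitable_findings,
  count(*) as total_findings
from
  aws_inspector2_finding as f,
  jsonb_array_elements(f.resources) as r
where
  f.status = 'ACTIVE'
  -- tag key and value are assumptions; adjust to your own tagging scheme
  and r -> 'Tags' ->> 'Environment' = 'Prod'
group by
  1, 2, 3
order by
  critical_findings desc,
  exploitable_findings desc,
  total_findings desc;
```

Unlike the `resource_tags = '...'` form, this filter is evaluated by Postgres after Steampipe has fetched the findings (only `f.status` is pushed down), so it is more flexible but slower on large accounts; narrow it further with key columns such as `severity` or `first_observed_at` when you can.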
Schema for aws_inspector2_finding
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | =, != | The Amazon Resource Name (ARN) of the finding. |
component_id | text | =, != | The component ID of the resource. |
component_type | text | =, != | The component type. |
cvss | jsonb | | An object that contains details about the CVSS score of a finding. |
description | text | | The description of the finding. |
ec2_instance_image_id | text | =, != | The Amazon EC2 instance image ID. |
ec2_instance_subnet_id | text | =, != | The Amazon EC2 instance subnet ID. |
ec2_instance_vpc_id | text | =, != | The Amazon EC2 instance VPC ID. |
ecr_image_architecture | text | =, != | The Amazon ECR image architecture. |
ecr_image_hash | text | =, != | The Amazon ECR image hash. |
ecr_image_pushed_at | timestamp with time zone | <=, >= | The Amazon ECR image push date and time. |
ecr_image_registry | text | =, != | The Amazon ECR registry. |
ecr_image_repository_name | text | =, != | The name of the Amazon ECR repository. |
ecr_image_tags | text | =, != | The tags attached to the Amazon ECR container image. |
exploit_available | text | =, != | Whether a finding discovered in your environment has an exploit available. Valid values are: YES, NO. |
exploitability_details | jsonb | | The details of an exploit available for a finding discovered in your environment. |
finding_account_id | text | =, != | The Amazon Web Services account ID associated with the finding. |
first_observed_at | timestamp with time zone | <=, >= | The date and time that the finding was first observed. |
fix_available | text | =, != | Details on whether a fix is available through a version update. Valid values are: YES, NO, PARTIAL. |
inspector_score | double precision | <=, >= | The Amazon Inspector score given to the finding. |
inspector_score_details | jsonb | | An object that contains details of the Amazon Inspector score. |
lambda_function_execution_role_arn | text | =, != | The AWS Lambda function execution role ARN. |
lambda_function_last_modified_at | timestamp with time zone | <=, >= | The date and time that a user last updated the AWS Lambda function's configuration. |
lambda_function_layers | text | =, != | The AWS Lambda function layer. |
lambda_function_name | text | =, != | The AWS Lambda function name. |
lambda_function_runtime | text | =, != | The AWS Lambda function runtime environment. |
last_observed_at | timestamp with time zone | <=, >= | The date and time that the finding was last observed. |
network_protocol | text | =, != | The ingress source address. |
network_reachability_details | jsonb | | An object that contains the details of a network reachability finding. |
package_vulnerability_details | jsonb | | An object that contains the details of a package vulnerability finding. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
reference_urls | jsonb | | One or more URLs that contain details about this vulnerability type. |
region | text | | The AWS Region in which the resource is located. |
related_vulnerabilitie | text | =, != | The related vulnerability. |
related_vulnerabilities | jsonb | | One or more vulnerabilities related to the one identified in this finding. |
remediation_recommendation_text | text | | The recommended course of action to remediate the finding. |
remediation_recommendation_url | text | | The URL address to the CVE remediation recommendations. |
resource_id | text | =, != | The ID of the resource. |
resource_tags | jsonb | = | Details on the resource tags used to filter findings. |
resource_type | text | =, != | The resource type supported by AWS. |
resources | jsonb | | Contains information on the resources involved in a finding. |
severity | text | =, != | The severity of the finding. Valid values are: INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL, UNTRIAGED. |
source | text | =, != | The source of the vulnerability information. |
source_url | text | | A URL to the source of the vulnerability information. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
status | text | =, != | The status of the finding. Valid values are: ACTIVE, SUPPRESSED, CLOSED. |
title | text | =, != | The title of the finding. |
type | text | =, != | The type of the finding. Valid values are: NETWORK_REACHABILITY, PACKAGE_VULNERABILITY. |
updated_at | timestamp with time zone | <=, >= | The date and time the finding was last updated. |
vendor_created_at | timestamp with time zone | | The date and time that this vulnerability was first added to the vendor's database. |
vendor_severity | text | =, != | The severity the vendor has given to this vulnerability type. |
vendor_updated_at | timestamp with time zone | | The date and time the vendor last updated this vulnerability in their database. |
vulnerability_id | text | =, != | The ID given to this vulnerability. |
vulnerable_package | jsonb | = | The package impacted by this vulnerability. |
vulnerable_packages | jsonb | | The packages impacted by this vulnerability. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are standalone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```
You can pass the configuration to the command with the --config argument:
```sh
steampipe_export_aws --config '<your_config>' aws_inspector2_finding
```